CURLOPT_CAINFO_BLOB feature + OpenSSL backend implementation #5664
Conversation
| @@ -1971,6 +1971,10 @@ typedef enum { | |||
| CURLOPT(CURLOPT_PROXY_ISSUERCERT, CURLOPTTYPE_STRINGPOINT, 296), | |||
| CURLOPT(CURLOPT_PROXY_ISSUERCERT_BLOB, CURLOPTTYPE_BLOB, 297), | |||
|
|
|||
| /* The CAinfo blob used to validate the peer certificate | |||
| this option is used only if SSL_VERIFYPEER is true */ | |||
| CURLOPT(CURLOPT_CAINFO_BLOB, CURLOPTTYPE_BLOB, 298), | |||
There was a problem hiding this comment.
Adds a new option, but there's no documentation and no test case verifying it!
There was a problem hiding this comment.
Good point! Will do if necessary.
| if(!ssl_cainfo_bio) | ||
| return CURLE_SSL_CERTPROBLEM; | ||
| while (cert = PEM_read_bio_X509(ssl_cainfo_bio, NULL, 0, NULL)) { | ||
| X509_STORE_add_cert(SSL_CTX_get_cert_store(backend->ctx), cert); |
There was a problem hiding this comment.
It adds the cert to the store, right? Will repeated invokes re-using the same handle then readd the same cert again?
There was a problem hiding this comment.
Judging from the code, this is done absolutely the same way and at the same point as importing the windows cert store, as well as loading certs from files/dirs. The SSL context is created afresh at the start of this function:
if(backend->ctx) SSL_CTX_free(backend->ctx); backend->ctx = SSL_CTX_new(req_method);
|
Is this the same feature as #4679 ? |
|
|
I cloned #4679 on #5677 with just rebasing on current master But I don't known which PR is better as base between 4679-5677 abd this 5664 |
|
Duplicate of #5677 |
This allows setting CAinfo bundle from memory.
This is an improved version of my old CABUNDLE/CABUNDLESIZE pull request.
I can also create an mbedTLS implementation if necessary.